Authenticate a first device based on a push message to a second device

ABSTRACT

Examples disclosed herein describe authenticating a first electronic device based on a push message to a second electronic device. In one implementation, a processor receives a user identifier from a first electronic device. The processor may select a message communication type based on the user identifier and transmit an authentication information request to a second electronic device using a push message communication of the selected message communication type. The processor may authenticate the user based on the received response to the request and transmit information related to the user authentication to the first electronic device.

BACKGROUND

An electronic device may authenticate a user prior to alloy the useraccess to certain data, hardware, or software. For example, a password,biometric information, or ID badge may be used to authenticate the user.The electronic device may evaluate the received authenticationinformation to determine whether to provide access to the user. Forexample, a user may not be allowed to use an electronic device untilauthenticated.

BRIEF DESCRIPTION OF THE DRAWINGS

The drawings describe example embodiments. The following detaileddescription references the drawings, wherein:

FIG. 1 is a block diagram illustrating one example of a computing systemto authenticate a first device based on a push message to a seconddevice.

FIG. 2 is a flow chart illustrating one example of a method toauthenticate a first device based on a push message to a second device.

FIGS. 3A-3C are block diagrams illustrating examples of authenticating afirst device based on a push message to a second device.

FIG. 4 is a block diagram illustrating one example of pushing to asecond electronic device an authentication request related toauthenticating a first electronic device.

DETAILED DESCRIPTION

In one implementation, an authenticating electronic device authenticatesa first electronic device based on a push message to a second electronicdevice. For example, the authenticating electronic device may receive anauthentication request from a first electronic device, and theauthenticating electronic device may push an authentication request to asecond electronic device. For example, the authenticating electronicdevice may receive an identifier associated with a user and select acommunication method and address based on the identifier. Theauthenticating electronic device may determine authenticationinformation related to the first electronic device, such as related tothe particular user, based on a response received from the secondelectronic device. The authenticating electronic device may transmit thedetermined authentication information to the first electronic device.The first electronic device may start a user session based on theauthentication information and allow a user access to particular data,software, and/or hardware on the first electronic device. As an example,the first electronic device may be a multi-functional printing device,the second electronic device may be a mobile phone associated with auser attempting to send a print job to the multi-functional printingdevice, and the authenticating electronic device may be anauthenticating server associated with an organization or anauthentication service.

Allowing a first electronic device to authenticate using anauthentication electronic device that pushes an authentication messageto a second electronic device allows for an authentication method to beused on the first electronic device that may not otherwise be availableor may be inconvenient. For example, the second electronic device mayinclude a keyboard or other input device or method not included ordifficult to use on the first electronic device. An authenticationelectronic device may allow new authentication technologies to be usedon the first electronic device without adapting the first electronicdevice to support those technologies. An authentication electronicdevice may be associated with a device such that different entities mayuse different protocols for authenticating based on the differentauthentication services provided by the authentication electronicdevice. An authentication electronic device may make authenticationprocesses more streamlined between multiple devices such that theauthenticating electronic device, may provide authentication informationto multiple devices associated with the same user or account. Using anauthentication electronic device to push an authentication message to asecond electronic device may allow the second electronic device toprovide information used for authentication without being in the sametrust domain as the first electronic device. For example, a particulartype of relationship between the first and second electronic device maynot exist, such as where the second electronic device is associated witha user, and the first electronic device is a shared device available toan entire entity.

FIG. 1 is a block diagram illustrating one example of a computing systemto authenticate a first device based on a push message to a seconddevice. The computing system 100 may include an authenticatingelectronic device 101 to authenticate a first electronic device 109based on a response to an authentication request pushed to the secondelectronic device 110.

The first electronic device 109 may be any suitable electronic devicethat authenticates a user. For example, the first electronic device 109may allow access to data, software, and/or hardware after authenticatinga user. The first electronic device 109 may include a storage forstoring authentication session information. For example, the firstelectronic device 109 may allow a user to use the first electronicdevice 109 or particular functionality of the first electronic device109 while the stored authentication session information indicates thatthe session is active. The first electronic device 109 may be, forexample, a printer, 3D printer, Internet of Things device, and/orwearable device.

The second electronic device 110 may be any suitable electronic deviceto receive and/or store authentication information. For example, thesecond electronic device 110 may be a device associated with the userbeing authenticated, such as a mobile phone, wearable device, or laptopof the user. The second electronic device 110 may be a previouslyauthenticated electronic device that stores authentication informationthat may be transmitted without receiving user input. The secondelectronic device 110 may include a keyboard or user interface to allowa user to provide input related to the authentication, such as forreceiving user input related to a password.

In one implementation, the first electronic device 109 and the secondelectronic device 110 are different types of devices. For example, thefirst electronic device 109 may be a shared office device, and thesecond electronic device 110 may be a personal electronic device. Thesecond electronic device 110 may allow for user input in a manner notallowed by the first electronic device 109. For example, the firstelectronic device 109 may be a multi-functional printer (MFP) ordisplay, and the second electronic device 110 may be a mobile phone orlaptop.

The authenticating electronic device 101 may be any suitable device fordetermining authentication information. The authenticating electronicdevice 101 may communicate with the first electronic device 109 and thesecond electronic device 110 via a network. For example, theauthenticating electronic device 101 may be a service for providing acloud server for authenticating devices. The authenticating electronicdevice 101 may include a processor 103, and a machine-readable storagemedium 104.

The processor 102 may be a central processing unit (CPU), asemiconductor-based microprocessor, or any other device suitable forretrieval and execution of instructions. As an alternative or inaddition to fetching, decoding, and executing instructions, theprocessor 102 may include one or more integrated circuits (ICs) or otherelectronic circuits that comprise a plurality of electronic componentsfor performing the functionality described below. The functionalitydescribed below may be performed by multiple processors.

The processor 102 may communicate with the machine-readable storagemedium 103. The machine-readable storage medium 103 may be any suitablemachine readable medium, such as an electronic, magnetic, optical, orother physical storage device that stores executable instructions orother data (e.g., a hard disk drive, random access memory, flash memory,etc.). The machine-readable storage medium 103 may be, for example, acomputer readable non-transitory medium. The machine-readable storagemedium 103 may include first electronic device authentication initiationinstructions 104, message type selection instructions 105, requesttransmission to second electronic device instructions 106,authentication based on response from second electronic deviceinstructions 107, and authentication transmission to first electronicdevice instructions 108.

The first electronic device authentication initiation instructions 104may include instructions to receive a request from the first electronicdevice 109 related to an authentication request. The request may includeany suitable information, such as identifier information related to theuser and the first electronic device 109. The request may be related toauthenticating for a particular task, role, or permission type on thefirst electronic device 109. The authenticating electronic device 101may receive the request via a network.

In one implementation, the authenticating electronic device 101 includesa storage to store authentication information, such as in themachine-readable storage medium 103 or in a separate storage. Forexample, when the authenticating electronic device 101 receives arequest from the first electronic device 109, the authenticatingelectronic device 101 may store related data, such as a session IDassociated with the request. The authenticating electronic device 101may update the storage record associated with the request based on thestatus of the authentication process.

The message type selection instructions 105 may include instructions todetermine a message type for requesting information from the secondelectronic device 110. For example, potential message types may includeemail, SMS, and/or direct communication through an app installed on adevice. The message type may be selected in any suitable manner, such asbased on stored information related to user preference, location, oravailable devices. The message type may be selected based on the firstelectronic device, such as where certain types of secure message typesare used by particular electronic devices for authentication. Theauthenticating electronic device 101 may send multiple messages inparallel. For example, the authenticating electronic device 101 may sendboth an email and SMS message.

The request transmission to second electronic device instructions 106may include instructions for the authenticating electronic device 101 topush an authentication message to the second electronic device 110. Themessage may be sent via the selected message type. The message may besent to a particular device or to an account from which multipleelectronic devices may be used to access the message. The authenticatingelectronic device 101 may request information from the second electronicdevice 110 to confirm that the account is accessed from a differentdevice than the first electronic device.

The authentication based on response from second electronic deviceinstructions 107 may include instructions to determine authenticationinformation based on information received from the second electronicdevice 110 in response to the authentication request. The authenticatingelectronic device 101 may use any suitable information to determine theauthenticity. The authentication may be performed in any suitablemanner, such as by comparing received information to stored informationassociated with the user.

The authentication transmission to first electronic device instructions108 may include instructions to transmit authentication information tothe first electronic device 109 from the authenticating electronicdevice 101, such as via a network. The authenticating electronic device101 may transmit any suitable authentication information to the firstelectronic device 109. For example, the authentication information maybe specific to the first electronic device 109 such that the sameauthentication information may not be used for additional electronicdevices.

In one implementation, the authenticating electronic device 101 updatesstored user authentication information after transmitting theauthentication information to the requesting device. For example, theauthenticating electronic device 101 may store information about thetransmission, such as time of authentication, or delete authenticationinformation related to a completed request.

In one implementation, the authenticating electronic device 101transmits the authentication information to additional devices. Forexample, the authenticating electronic device 101 may transmit theauthentication information to the second electronic device 110 and/or toadditional electronic devices. In one implementation, the authenticatingelectronic device 101 receives information from the first electronicdevice 109 indicating that the user is successfully authenticated on thefirst electronic device 109, such as information about the particularauthentication session, such as a user ID, session time stamp, or otherinformation related to the authenticated session.

FIG. 2 is a flow chart illustrating one example of a method toauthenticate a first device based on a push message to a second device.For example, an authentication server may push a message to a secondelectronic device to receive information used to authenticate the useron the first electronic device. The authenticating server may transmitauthentication information to the first electronic device such that theuser may begin a session on the first electronic device. The method maybe implemented, for example, by the computing system 100 of FIG. 1.

Beginning at 200, an authenticating electronic device receives a requestfrom a first electronic device to authenticate a user an the firstelectronic device. The authenticating electronic device may receive therequest in any suitable manner, such as via a network. Theauthenticating electronic device may be associated with an entity and/ora service. For example, the authenticating electronic device may beassociated with an authentication cloud service. The authenticatingelectronic device may receive any suitable information associated withthe request. For example, the authenticating electronic device mayreceive information about the user, first electronic device, or accesstype requested. The authenticating electronic device may receive userinformation related to the user to be authenticated. The useridentification information may be a user name, identifier, biometricdata, or other information to indicate a user attempting to use thefirst electronic device.

The first electronic device may be any suitable electronic device. Inone implementation, the first electronic device is shared among multipleusers that are authenticated to begin a user session. For example, thefirst electronic device may be a printer, 3D printer, and/or smartoffice device. The first electronic device may display a user interfaceto receive user input or otherwise receive input from a user initiatinga session with the first electronic device. For example, a user may scana badge or mobile phone to gain access to the first electronic device ormay use NFC to provide information from a user's device. The firstelectronic device may display a pre-configured list or other informationto allow the user to select an identifier associated with the user. Thefirst electronic device may have a browser, app, or other user interfaceto allow the user to provide information about the user identity.

The authenticating electronic device may store session informationassociated with the user identification information. The sessioninformation may be any suitable information associated with a sessionfor the user on the first electronic device. The session information mayinclude information about the user, the first electronic device, and/orthe authentication request. For example, the session information mayinclude information about the time and type of authentication request.In one implementation, the authenticating electronic device may compareinformation about the session to other session information, such as tocreate a summary of the type of authentication requests made to theauthenticating electronic device.

Continuing to 201, the authenticating electronic device selects amessage communication type. The message communication type may be anysuitable type, such as email, SMS, or direct app communication. Themessage communication type may be selected in any suitable manner, suchas based on stored settings associated with the user and/or firstelectronic device. The message communication type may be selected basedon security associated with the message type such that differentelectronic devices may authenticate using different levels of security.The authenticating electronic device may access information related toan address associated with the user for the communication type, such asan email or a phone number, in order to push the message. The useridentifier may be associated with a particular user such that theauthenticating electronic device may determine multiple messagingaddresses for the user based on the user identifier, such as where bothan email and SMS message may be sent based on the username associatedwith a service.

Continuing to 202, the authenticating electronic device transmits anauthentication request to authenticate the user to a second electronicdevice using a push messaging communication of the selected type. Forexample, the message communication type may be selected from email, SMS,biometric, or other request types. The second electronic device may be aspecified device for the message or a device selected by the user toreceive the message. For example, the message may be an SMS message thatmay be received at multiple devices, and the user may select a devicefrom which to respond. In one implementation, the authentication messageis intended for a particular device such that both a message identifierand device identifier are associated with the authentication. Themessage may be sent to a third party service that then transmits themessage to the second electronic device.

The second electronic device may display a user interface for the userto respond to the authentication method. For example, the authenticationmessage may include a URL in an email message such that the user mayopen the URL and provide additional information to be transmitted to theauthenticating electronic device. The authentication method may involvebiometric data, such as where the user provides a finger print to thesecond electronic device. The authentication of the user may bedetermined based on the user having access to the message on the secondelectronic device and/or an additional challenge to the user, such asfor a key. The message may include encrypted information that may bedecrypted by the specific user and/or request a response including anencrypted message that may be decrypted by the authenticating electronicdevice or first electronic device. In one implementation, the secondelectronic device authenticates the user without user input. Forexample, the second electronic device may include a storage withauthentication information that is transmitted to the authenticatingelectronic device. The second electronic device may determine that auser is already logged into the second electronic device, for instancebased on a session token available in the local storage or availableaccess to locally cached authentication credentials. The secondelectronic device may transmit such authentication information withoutadditional user input if determined that a user is already logged in. Inone implementation, the second electronic device includes an app orother software for generating a session token that may be used to createauthentication information to transmit to the authenticating electronicdevice. Additional electronic devices may be used for authentication,such as where information from a user device and information from acloud storage is used to transmit information to the authenticatingelectronic device.

Continuing to 203, the authenticating electronic device authenticatesthe user based on a received response to the authentication request. Forexample, the authenticating electronic device may receive any suitableinformation from the second electronic device used to authenticate thefirst electronic device. The authenticating electronic device mayreceive information that the authenticating electronic device comparesto stored information to determine authenticity. In one implementation,the second electronic device may attempt to authenticate the user andtransmit information about eventual authentication failure, such as duelocal processing errors, to the authenticating electronic device. Theauthenticating electronic device may use stored authentication orsession information to create authentication session information to beused by the first electronic device. Authenticating the user may involvecreating a device specific authentication token for the user session.The token may be created based on specific rules associated with adevice, device type, and/or entity.

Continuing to 204, the authenticating electronic device transmitsinformation related to the user authentication to the first electronicdevice to authenticate the user on the first electronic device. Theauthenticating electronic device may transmit any suitable informationusable by the first electronic device to authenticate the user. Forexample, the authenticating electronic device may transmit a token orother information. The authenticating electronic device may transmitinformation to the first electronic device such that the firstelectronic device authenticates the user based on the receivedinformation and additional information.

The first electronic device may receive the authentication informationin any suitable manner. For example, the first electronic device maypoll the authenticating electronic device to request the authenticationinformation, and the authenticating electronic device may transmit theauthentication information in response to the request. For example, theauthenticating electronic device may check the status of the usersession ID in a storage and send information about the status. Thestatus may be updated when a response is received from the secondelectronic device. In one implementation, the authenticating electronicdevice transmits the information to the first electronic device withoutreceiving a second request from the first electronic device. Forexample, the information may be automatically transmitted such that anactive communication channel is not open between the authenticatingelectronic device and first electronic device during the entireauthentication process.

The first electronic device may create a user session based on thereceived information. In one implementation, the first electronic deviceauthenticates the user based on the received information and informationstored on the first electronic device.

The authenticating electronic device may transmit authenticationinformation back to the second electronic device. For example, theauthenticating electronic device may issue token to the secondelectronic device to be stored on the second electronic device to beused for future authentication requests. The second electronic devicemay use received authentication information to allow the user access toparticular data, software, and/or hardware on the second electronicdevice.

In one implementation, the authenticating electronic device manages useraccess on multiple devices. For example, the authenticating electronicdevice may revoke tokens on per device or per user basis. Theauthenticating electronic device may update authentication based onaudits of session tokens and rules, such as related to redundancy oftokens.

FIGS. 3A, 3B, and 3C are block diagrams illustrating examples ofauthenticating a first device based on a push message to a seconddevice. FIG. 3A-3C include a user 301, first electronic device 302,authentication server 303, authentication server storage 304, and secondelectronic device 305. The user 301 may be a user assigned an account,login, identifier, or other information used to identify the user to thefirst electronic device 302. The first electronic device 302 may be anysuitable electronic device which may be accessed by the user 301. Theauthentication server 303 may be a server for determining authenticationinformation and pushing an authentication request to the secondelectronic device 305. The authentication server storage 304 may be anysuitable storage accessible by the authentication server 303 for storinginformation related to an authentication determination. The secondelectronic device 305 may be any suitable electronic device that mayreceive a message pushed from the authentication server 304. The secondelectronic device 305 may be associated with the user 301.

FIG. 3A is a block diagram showing one example 300 of an authenticationrequest pushed from an authentication server. First, a user 301 logs onor otherwise initiates a session on the first electronic device 302.Information transmitted to the authentication server may includeinformation about the requesting device, user identifier information,and meta data associated with the user. Second, the first electronicdevice 302 transmits an authentication request to the authenticationserver 303. Third, the authentication server 303 stores informationabout the request and/or authentication in the authentication serverstorage 304. For example, the authentication server 303 may store a usersession record in the authentication server storage 304. The session IDmay be used to track the state of the authentication, such as whether arequest to a second electronic device has been sent and/or a responsereceived. Fourth, the authentication server 303 pushes an authenticationmessage to the second electronic device 305. For example, theauthentication server may determine that an authentication message of aparticular type is to be used for the user or device and transmit thattype of message.

FIG. 3B is a block diagram showing one example 300 of determiningauthentication information based on information received from anauthentication request. First, the user 301 logs in or otherwiseprovides information to the second electronic device 305. Second, thesecond electronic device 305 transmits authentication informationreceived based on the user input to the authentication server 303.Third, the authentication server 303 stores information about theauthentication in the authentication server storage 304. For example,information associated with the session ID may be updated to reflect thereceived response.

FIG. 3C is a block diagram showing one example 307 of providingauthentication information to an electronic device. First, the firstelectronic device 302 requests authentication information from theauthentication server 303. Second, the authentication server 303accesses stored information from the authentication server storage 304.Third, the authentication server 303 determines authenticationinformation based on the request and the accessed stored information.Fourth, the authentication server 303 transmits information related tothe authentication determination to the first electronic device 302. Thefirst electronic device may provide user access to data, hardware,and/or software based on the received authentication information.

FIG. 4 is a block diagram illustrating one example of pushing to asecond electronic device an authentication request related toauthenticating a first electronic device. For example, theauthentication request 400 may be transmitted in parallel using multiplecommunication methods. The communication methods may be tailored to aparticular electronic device or may be transmitted to an account thatmay be accessed on multiple devices. For example, the authenticationrequest 400 is transmitted to an email server 401, SMS server 402, anduser device app 403. Transmitting multiple types of messages may allow auser to select which method and device to use for authentication, suchas which device is more accessible at the time of authentication. Usingan authenticating electronic device to push a message to a second deviceto authenticate a first device may allow for a more convenient andsecure authentication method.

The invention claimed is:
 1. A computing system, comprising: asemiconductor-based processor of an authenticating electronic device to:initiate user authentication based on a request from a first electronicdevice to authenticate a user; select a message communication type basedon a user identifier; transmit an authentication information request toa second electronic device using a push message communication of themessage communication type that is selected; authenticate the user basedon a received response to the authentication information request fromthe second electronic device via an input device of the secondelectronic device to receive the authentication information, wherein theinput device is absent from the first electronic device; transmitinformation related to authentication of the user to the firstelectronic device, wherein the authenticating electronic device, thefirst electronic device, and the second electronic device are physicallyseparate devices; and a storage to store user authenticationinformation, wherein the processor is further to store informationrelated to a user identification and authentication status in thestorage.
 2. The computing system of claim 1, wherein the processor isfurther to update the user authentication information that is stored toindicate that the authentication of the user is transferred to the firstelectronic device.
 3. The computing system of claim 1, wherein theprocessor is further to transmit the authentication information requestusing multiple message communication types in parallel.
 4. The computingsystem of claim 1, wherein transmitting the information related to theauthentication of the user comprises transmitting authenticationinformation specific to the first electronic device.
 5. The computingsystem of claim 1, wherein the processor is further to transmitinformation related to the authentication of the user to the secondelectronic device.
 6. The computing system of claim 1, wherein thesecond electronic device allows for user input in a manner not allowedby the first electronic device.
 7. A method, comprising: receiving, byan authentication electronic device, a request from a first electronicdevice to authenticate a user on the first electronic device; selectinga message communication type; transmitting an authentication request toauthenticate the user to a second electronic device using a pushmessaging communication of the message communication type that isselected; authenticating the user based on a received response to theauthentication request from the second electronic device via an inputdevice of the second electronic device to receive authenticationinformation, wherein the input device is absent from the firstelectronic device, wherein the response from the second electronicdevice comprises the authentication information stored on the secondelectronic device and transmitted to the authentication electronicdevice; and transmitting, by the authentication electronic device,authentication information to the first electronic device toauthenticate the user on the first electronic device, wherein theauthenticating electronic device, the first electronic device, and thesecond electronic device are physically separate devices.
 8. The methodof claim 7, further comprising authenticating the user, by the firstelectronic device, based on the authentication information received fromthe authentication electronic device.
 9. The method of claim 7, whereinauthenticating the user comprises creating a device authentication tokenand wherein transmitting the authentication information comprisestransmitting the device authentication token to the first electronicdevice.
 10. The method of claim 7, wherein the second electronic devicedisplays a user interface to receive authentication user input from theuser.
 11. A machine-readable non-transitory storage medium comprisinginstructions executable by a processor of an authenticating electronicdevice to: receive an authentication request from a first electronicdevice including user identification information; store authenticationinformation based on at least one of information related to the firstelectronic device and the user identification information; select anauthentication message type; push an authentication request to a secondelectronic device using the authentication message type that isselected; receive authentication information from the second electronicdevice via an input device of the second electronic device to receivethe authentication information, wherein the input device is absent fromthe first electronic device; update the authentication information thatis stored based on the authentication information that is received;generate first electronic device authentication session informationbased on the authentication information that is stored; and transmit thefirst electronic device authentication session information to the firstelectronic device, wherein the authenticating electronic device, thefirst electronic device, and the second electronic device are physicallyseparate devices, wherein the instructions to transmit the firstelectronic device authentication session information compriseinstructions to respond to a second request from the first electronicdevice for the authentication information.
 12. The machine-readablenon-transitory storage medium of claim 11, further comprisinginstructions to push the authentication request using a secondauthentication message type.